[emerg] (13)Permission denied: couldn’t grab the accept mutex

I installed Apache on a diskless FreeBSD-9/amd64 server. Once I added SSL, the web server wouldn’t start. It died with:

[Mon Mar 21 15:37:16 2011] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Mon Mar 21 15:37:16 2011] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Mon Mar 21 15:37:16 2011] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Mon Mar 21 15:37:16 2011] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Mon Mar 21 15:37:16 2011] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Mon Mar 21 15:37:17 2011] [alert] Child 1733 returned a Fatal error... Apache is exiting!

Google says that the fix for this is to define AcceptMutex flock somewhere in httpd.conf. Google shows dozens of mailing list discussions that give this advice, but without explanation. Every so often, someone whinges about it not working, and doesn’t get a response.

This is an example of what I call “Occult IT.” There are certain recipes that people just follow, without understanding why. We stumble around, grasping for invocations and incantations that will fix our problem. I don’t just want the ritual that will solve the problem; I want to know why the problem happened and deepen my understanding of the issue.

Besides, adding AcceptMutex flock didn’t work.

To identify the problem, I set LogLevel to debug in httpd.conf and tried starting httpd again.

[Mon Mar 21 16:03:18 2011] [debug] prefork.c(1018): AcceptMutex: flock (default: flock)

I didn’t have that configuration setting in my httpd.conf, but it’s the Apache default anyway. So, what are my other choices?

Apache documentation says that the AcceptMutex setting determines how Apache serializes incoming requests. The flock setting dictates how Apache locks the LockFile.

My configuration doesn’t have a defined LockFile, so choosing how we lock it isn’t going to help.

I don’t like lock files. Bad stuff happens to them. Let’s try a locking method without a lockfile. The documentation lists two different classes of locking mechanisms. flock and fcntl work on lock files. posixsem, pthread, and sysvsem use the in-memory mechanisms of semaphores and/or mutexes to provide locking.

As I don’t like lock files, I’ll try one of the in-memory mechanisms.

AcceptMutex posixsem

And Apache starts and runs perfectly.

I can’t find any details on the differences between these in-memory mechanisms, from a system administrator’s point of view. I imagine that the System V mechanism wouldn’t work if you’d removed that support from your kernel. But the point is:

Do not rely on occult IT. Read The Fine Manual.

Confession

Yes, The Great Committer was an April Fools’ gag. I didn’t expect anyone to actually believe it, but it gathered a few laughs, so I’m content.

Far more successful was the FreeBSD and NetBSD to merge gag that Dan Langille and I pulled back in 2003. The United Nations Fretbsd.org site has long since expired, but Dan archived it. (Eight years later, and I still giggle madly about the moose in that one.) That one actually sucked in a reporter from an reputable tech site, who pestered Dan and I for details all day.

John Baldwin really did surpass PHK’s commit total, however, and deserves credit for working so hard on FreeBSD. I heard from John on Friday, and while I’m not going to be so gauche as to copy his email here, I can honestly say that I am relieved that I did not displease The Great Committer.

FreeBSD Project Reorganization

I’m pleased to be the first to announce that the FreeBSD Project is reorganizing. This will appear on the FreeBSD home page next week, but journalistic ethics decree that I must act when I get a scoop.

FreeBSD has always been something of a meritocracy, where the respect given to committers is directly proportional to the amount and quality of code they commit. This is tracked in the commit statistics. For many years, Poul-Henning Kamp (phk@) was the undisputed leader, but in 2010 his total was exceeded by relative newcomer John Baldwin (jhb@). Baldwin’s commits show no sign of slowing, and if he continues at this pace, he will soon overtake the combined totals of Foundation President Robert Watson and embedded emeritus Warner Losh.

The FreeBSD Project has a variety of leadership roles and teams, such as the Core Team, the Ports Management team portmgr, and so on. These teams have helped FreeBSD’s broad developer base coordinate their efforts, work together, and streamline FreeBSD’s internal processes.

Effective immediately, all such teams are disbanded.

John Baldwin is to be henceforth known as The Great Committer. He alone will dictate the FreeBSD Project’s direction and where its resources will be allocated. All commits will be credited to The Great Committer, as all commits will touch his work in some way and hence would not be possible without His knowledge, experience, and all-around wisdom.

“It’s clear that our current model just doesn’t work,” said Robert Watson. “In the sixteen years the FreeBSD Project has existed, and the decades BSD had before it, we’ve had at least four distinct generations of leadership. We’ve developed processes for mentoring and grooming our own leaders, letting people move on when they wanted. Frankly, it’s a lot of work, and I don’t know how many more decades we could keep that up. The Great Committer won’t put up with that sort of churn, I’m sure. Once you’re a FreeBSD committer, you’re in for life. However long that is.”

“I’m really glad that The Great Committer has taken this step,” said Wilko Bulte, FreeBSD core team member. “People think that the FreeBSD Core Team made all these high-level decisions, when really we broke up fights and inducted new members. All that email and discussion took a lot of time. Now that The Great Committer has condescended to claim his rightful place, we can get back to doing what’s important — namely, doing everything we can to increase the already bounteous glory of The Great Committer.”

Security Officer Colin Percival said, “We’ve worked tirelessly to ensure FreeBSD’s security. I don’t even know how many man-months I’ve spent auditing code and investigating reports, let alone other members of the FreeBSD Security Team. But now, The Great Committer has decreed that FreeBSD is secure. All praise to The Great Committer!”

The Public FreeBSD Developer Track at BSDCan 2011 will now alternate between technical talks and praising The Great Committer. In addition to learning about exciting features such as Capcisum, attendees will practice making index-finger-and-pinky “Beastie Horns” to salute The Great Committer. Attendees will also witness the unveiling of the official The Great Committer banners, forty feet tall and hand-painted on silk.

No active OpenBSD developers could be bothered to comment, but Jason Dixon, OpenBSD slacker, stated “It’s about time the FreeBSD bums realized that they needed a benevolent despot. Maybe they’ll do something useful now.” A phone call to the NetBSD Foundation got a recording that the Board of Directors could be reached at the pub.

The FreeBSD Foundation is raising funds for a 200-foot golden statue of The Great Committer, to be erected near the University of California Berkeley campus. Its stern visage will remind the university denizens of their second-greatest three-letter claim to fame. The Great Committer has declared that there are no rumors that the statue’s eyes will be lasers that will automatically target users of lesser operating systems.

Meanwhile, The Great Committer has ordered that someone bring him a sandwich. And a beer. And Bill Gates’ lunch money.

You can contribute to the Foundation through DonateNow or in person at BSDCan. There’s no guarantee that the Foundation will use your particular donation to fund the statue, but they will assuredly use it for FreeBSD.

NOON UPDATE: It seems that The Great Committer has declared that HAMMER will be the new default filesystem.

New review of Absolute FreeBSD

There’s a new review of Absolute FreeBSD at the Java Users Group Lugano Web site. I can’t find a way to link to this particular review, so this link goes to the review page. I expect it will eventually scroll off the bottom.

I do try to batch reviews, but four years after the book hit the shelves, I think I’d have to wait quite a while for the next one.

While I’ve said that only silence or thanks is appropriate for a negative review, thanks are also appropriate for a positive review. Thank you, Celestino Bellone, for taking the time to write up your impressions.

Dealing with Negative Reviews

Pop quiz: what do you do when someone releases an excoriating online review about something you’ve sweated blood over?

a) Leave a vitriolic comment questioning the reviewer’s integrity and decency.
b) Leave a bitter comment calling the reviewer an idiot.
c) Leave a vengeful comment declaring war.
d) A, B, and C, with lots and lots and lots and lots of comments
e) Give up. Never do anything again.
f) Close your browser and get on with your life.

I thought most authors understood the best answer, but then I came across a review where the author not only responded, she melted down. Spectacularly. So I thought it might be worthwhile to say something about dealing with negative reviews of your work.

Remember, reviews are not for the author. They are for prospective readers. The reviewer is not claiming you are a bad person. He is stating that your work did not meet his needs, expectations, or standards. Most negative reviews of my work amount to “I don’t like the tone and attitude of this book.” That’s OK. I deliberately use that tone and attitude, in the belief that the number of people who will appreciate it exceeds the number of people it will annoy.

Sometimes, negative criticism is actually constructive. If I don’t learn from my mistakes, who will?

The correct response to a negative review is: silence.

An even better response would be to send the reviewer a two-sentence note: Thank you for taking the time to review my book. Sorry you didn’t like it, but I appreciate your effort. Sincerely, Your-Name-Here. But I’m not that good of a human being.

Nonfiction Tuckerization Auctions?

For centuries, authors have traded mentions in a book for cold hard cash. Today, this is most often done for charity, as a Tuckerization auction. As a BSD author, though, I think that there’s a way to put this to use to raise development money for various BSD projects. BSD always needs money.

When Absolute FreeBSD came out, the FreeBSD Foundation auctioned off the first copy off the press. It raised $600. I suspect that getting your name in the book, or being able to name something in the book, might raise more.

I’m considering hold an auction to, say, let a reader name something in a tech book: a server, a sample user, whatever. I’d mention their winner by name in the acknowledgments. The money would go to the project covered in the book, and I would ask someone from the project to run the auction. (I don’t want to go near that money, as I’d probably spend it foolishly, for food or shelter or soap.)

I’d need some basic rules — the desired name would have to get past my publisher, for example, so obscenities are out. You couldn’t blatantly insult people — while I’m fine with naming my example server LucasDroolz, I’m not comfortable using someone else’s words to abuse other people. When I insult someone, I want to do it personally.

Would this be a publicity stunt? It would be publicity, yes. But the real goal is to extract money from you and give it to a developer.

Of course, setting up such an auction would be time and expense. I’d risk my own time and expense on such an idea, but this would mean asking other people to do so as well. Therefore, my question for readers is:

Would you bid in such an auction? Given the cause, how much would you bid? Do you think it’s a stupid idea? I’m also open to suggestions on where to run such an auction. eBay has a charity option, but they still take a cut. I suspect there’s a better choice.

Please reply in the comments, not email.

Roundcube/pgsql on FreeBSD

My employer’s current webmail solution is pretty tightly tied to the mail server. We need a webmail solution, but I want to be able to move, change, and upgrade webmail independently of the mail server. I’m testing Roundcube, running on FreeBSD-current/amd64 diskless on KVM.

First install Roundcube. Go to /usr/ports/mail/roundcube and run make config-recursive. You can use MySQL, PostgreSQL, or SQLite. Personally, I’m a Postgres bigot, mainly because Postgres has inflicted less pain than MySQL over the years. (Remember, punishing someone less feels like a reward!) I selected postgres, disabled mysql, then chose other environment-specific options such as LDAP. After configuring all of roundcube’s dependencies, run make all install clean.

No matter the database you prefer, in FreeBSD the client is packaged and built separately from the database server. I built /usr/ports/databases/postgresql84-server. Normally I would enable PAM, to enable database authentication via the operating system authentication, but that’s apparently broken as of this writing.

I want to modify httpd.conf as little as possible, so I do most of my configuration via files in /usr/local/etc/apache/Includes. I create the following files:

vhosts.conf
NameVirtualHost *:80
NameVirtualHost *:443

And of course, we need to acces webmail over SSL. Here’s ssl.conf:

Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300
AcceptMutex posixsem
SSLMutex "file:/var/run/www/ssl_mutex"

I use RCS for minor stuff like this, so I need to block web site visitors from viewing my RCS files. Here’s blockRCS.conf


Order allow,deny
Deny from all
Satisfy All

Finally, here’s the configuration for the webmail virtual server, webmail.conf. The most interesting thing here is that I automatically redirect HTTP connections to HTTPS. (Perhaps interesting is the wrong word. “Least uninteresting?” Yeah, that’s better.)

AddType application/x-httpd-php .php

ServerName webmail.domain.com
Redirect permanent / https://webmail.domain.com/
ServerAdmin webmail@domain.com
ErrorLog "|/usr/local/sbin/rotatelogs /var/log/httpd/webmail_error_log.%Y-%m-%d-%H_%M_%S 86400 -300"
CustomLog "|/usr/local/sbin/rotatelogs /var/log/httpd/webmail_access_log.%Y-%m-%d-%H_%M_%S 86400 -300" combined
DocumentRoot /usr/local/www/webmail/

Options None
AllowOverride All
Allow from all



ServerAdmin webmail@domain.com
ServerName webmail.domain.com
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLOptions +StdEnvVars

BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLCertificateFile etc/apache22/certs/webmail.domain.com.crt
SSLCertificateKeyFile etc/apache22/certs/webmail.domain.com.key
ErrorLog "|/usr/local/sbin/rotatelogs /var/log/httpd/webmail_ssl_error_log.%Y-%m-%d-%H_%M_%S 86400 -300"
CustomLog "|/usr/local/sbin/rotatelogs /var/log/httpd/webmail_ssl_access_log.%Y-%m-%d-%H_%M_%S 86400 -300" combined
DocumentRoot /usr/local/www/roundcube/

Options Indexes FollowSymLinks
AllowOverride All
Allow from all

Initialize your postgresql database. I got Postgres help from here.

# /usr/local/etc/rc.d/postgresql initdb

Edit your Postgres config file, /usr/local/pgsql/data/postgresql.conf. Be sure that your database is only listening on the loopback address.

listen_addresses = 'localhost'

If you’re a Postgres guru, make any other changes you like. Then configure loggin in /etc/syslog.conf:

!postgres
*.* /var/log/pg.log

The log files must exist before syslogd will write to them.

# touch /var/log/pg.log
# chown pgsql:pgsql /var/log/pg.log

Now run /usr/local/etc/rc.d/postgresql start and check for errors. It should start without trouble, unless you mucked with your configuration too much.

Normally I would edit pg_hba.conf to tie my account password to PAM, and through PAM to LDAP, but as that’s broken right now, I’ll create a local user.

# su pgsql
$ createuser -sdrP mwlucas
Enter password for new role:
Enter it again:

Now create the Roundcube database, as per the instructions.

$ createuser roundcube
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
$ createdb -O roundcube -E UNICODE roundcubemail
$ psql roundcubemail
psql (8.4.7)
Type "help" for help.

roundcubemail=# alter user roundcube with password 'WeHatesWebmail';
ALTER ROLE
roundcubemail=# \c - roundcube
psql (8.4.7)
You are now connected to database "roundcubemail" as user "roundcube".
roundcubemail=> \i SQL/postgres.initial.sql

After a bunch of SQL spammage, we have a database. Log out with:

roundcubemail=> \q

Roundcube needs two configuration files, db.inc.php and main.inc.php. Go to /usr/local/www/roundcube/config and copy the .dist versions of these files.

Tell Roundcube where to find its database by setting a DSN in db.inc.php.

$rcmail_config['db_dsnw'] = 'pgsql://roundcube:WeHatesWebmail@localhost/roundcubemail';

In main.inc.php, set your mail server. (If you don’t set a mail server, Roundcube will let you connect to any mail server you like. This would confuse my users. Confusion leads to phone calls, something I avidly avoid.)

$rcmail_config['default_host'] = 'mail.domain.com';

Verify that pgsql and Apache are running, and browse to your webmail site. You have a webmail server!

Overall, the setup was pretty straightforward. I’m not saying I’ll keep Roundcube, but my test users are basically content, so it’s a strong candidate.

experiments in publishing

Readers who don’t care about my non-technical writing should skip this post.

My friends include authors who are traditionally published, and some who are self-published. Both groups make excellent cases for their choices, and I’m not going to argue against anyone else’s decisions. Whatever works for you, live and let live, and so on.

But both sets make excellent arguments for what I should do with my career. Both sets tell me my non-technical work is good enough to make it. The traditional authors tell me to keep knocking at the doors of the Big Six publishers, and eventually I will get in. The self-publishers tell me that I have more “platform” than many traditionally published novelists, and I should leverage that to bootstrap my non-technical writing career.

It’s an emotional topic. People are very vested in their opinions. I can argue either side, and my opinion tends to vary depending on whoever I’ve spoken to most recently. The way to answer questions is with an experiment. Experiments start with a falsifiable statement. Here’s mine. “I have sufficient platform to profitably self-publish fiction on ereader platforms.”

Now, some conditions. What, exactly, is “profitable”? Here are some rough numbers that would probably make an accountant cry, but they’re adequate for this experiment.

Big Name authors sell short stories for thousands of dollars. Medium Name authors sell short stories for about $500. No-name authors sell short stories for prices from $10 to free. My first sale was for $100, but all others were for $10. I’m a no-name. So, let’s classify my writing labor as a $10 expense.

Ebooks need a cover. My graphic design skills are roughly equivalent to a badger’s. I can get an adequate cover for $25, largely due to the curiosity of my artist friend Brad McDevitt about the results.

Software to transform a document into an eBook is free. I started with Mobipocket Creator to transform a PDF into Amazon’s Kindle format, and then used Calibre to transform it into the Barnes & Noble ereader format. To reach the Apple audience, as well as a whole bunch of smaller retailers, I need to use Smashwords’ .doc file upload. I’ve experimented with each of these, and I believe that once I have a hang of them I’ll be able to upload to all three sites in about an hour. How much is my authorial time worth? Judging by the $10 price of a completed short story: not much. How about the time of a skilled software operator? That’s a little better. I’ll call it $20/hour.

I could add in a share of the computer, office space, and so on, but that’s all stuff I need for my tech writing business. I’m not going to count that. Similarly, I own a Kindle, for my own purposes, but I’ll use it to test my early ebook builds. I won’t count that, either. Should this be successful, all these would become legitimate expenses.

The expenses to publish a short story are, roughly speaking, $55.

The going price for ereader short stories is $0.99. Amazon gives authors a 35% royalty on $0.99 items, or $0.35 per sale. I must sell 157 copies of a story to break even.

One big question is, “is the work good enough to sell?” I’ll control for that by starting with stories I have previously sold, but whose rights have reverted back to me. If I have success with them, I’ll try a couple pieces that have never sold.

Time is another factor — if I sell 157 copies over 10 years, is that a win? No. How about one year? Maybe.

The first story is up on Amazon. I still need to do B&N and Smashwords.

A month or so after I have the first one up on all three sites, I’ll report my initial results.

Buy My Books for Japanese Disaster Relief

Tuesday, 22 March, O’Reilly, No Starch Press, and Tidbits will donate all revenue, less author royalties, from Deal of the Day sales to the Japanese Red Cross. This includes all of my books available in electronic format: Absolute FreeBSD, Cisco Routers for the Desperate, and Network Flow Analysis.

If you’ve been waiting to pick up any of my books in electronic format — or any books by other NSP/O’Reilly/Tidbits authors — this is the day. Today only. You want them all. I know you do.

If you already own everything I’ve written, in both paper and electronic form, why not try something from another author? Everybody needs to know how to build Badass Lego Guns. Or you can just give directly to the Japanese Red Cross.

I’ll tweet this multiple times through the day. The O’Reilly site will be announcing totals throughout the day.

short story on Kindle

My short story Opening the Eye is now on Amazon as a $0.99 ebook. This story first appeared in Horror Library vol 2.

This story is in that hazy ground between urban fantasy and horror. If you enjoy that sort of thing, please check it out. If you like it, please leave a review. It won’t show up in most Amazon searches unless there’s a certain number of reviews.

If you don’t enjoy that sort of story, don’t read it. If you’re related to me, you don’t want to read this one. Trust me.

I’m not going to turn this blog into a plea for people to read these things, but I will briefly mention when they’re available in new places, such as the Nook or the Apple bookstore.

This is an experiment. (I have experimental conditions and everything!) But more on that later this week.